Uniform authorization and registration between MVC and Web API projects - c#

The Web API project is already completely written and it uses User.Identity. There's also an MVC site that uses SimpleMembership. Is it possible to make both projects make use of the same user data for registration and authorization?

Related

Securely integrate angular and .net core web api into existing MVC 5 app

I have an existing CRM built in ASP.NET MVC 5 using a razorhtml front end. I would like to break off part of the project into an Angular front end with .Net Core web api backend.
Essentially when a customer hits a "next" button on a certain page, the web api would be called and return a page in angular. The customer then completes a couple pages in the angular front end, sends info to the DB via the web api, which then returns the user to the old MVC project.
The issue I'm worried about is security. How can I authenticate the customer between the two applications?
Assuming your WebAPI is hosted on the same domain as your existing MVC solution, you could opt for good old cookies (mind the HttpOnly and Path properties though). Given the difference in technologies, this might require some sort of reverse proxying to be put in place.
Alternatively you can generate a token on MVC application side and make your angular app pass it along through request headers to your API. On server side you would either write a custom middleware to handle opaque tokens or leverage existing .Net Core Identity that supports JWT out of the box.
Given you didn't share any specifics of your environment - it's hard to say if JWT would be an overkill for your use case but hopefully this gives you some context for further exploration.
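The token hand-off described in the answer above, as an added example that is not part of the original answer: the MVC side issues a short-lived signed JWT, and the API checks signature, issuer, audience and lifetime before trusting it. It assumes a recent version of the System.IdentityModel.Tokens.Jwt NuGet package; the issuer and audience URLs, the user id and the shared symmetric key are constructed for illustration.

```csharp
// Added example, not from the page. Needs NuGet: System.IdentityModel.Tokens.Jwt
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class HandoffToken
{
    // Hypothetical identifiers for the two applications (assumptions).
    const string Issuer = "https://crm.example.test";
    const string Audience = "https://api.example.test";
    // MVC side: short-lived token bound to one user, one issuer, one audience.
    public static string Issue(string userId, SecurityKey key)
    {
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] { new Claim(JwtRegisteredClaimNames.Sub, userId) }),
            Issuer = Issuer, Audience = Audience,
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256)
        }));
    }
    // API side: throws SecurityTokenException unless every check passes.
    public static ClaimsPrincipal Validate(string token, SecurityKey key) =>
        new JwtSecurityTokenHandler().ValidateToken(token, new TokenValidationParameters
        {
            ValidateIssuer = true, ValidIssuer = Issuer,
            ValidateAudience = true, ValidAudience = Audience,
            ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30),
            ValidateIssuerSigningKey = true, IssuerSigningKey = key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 } // pin the algorithm
        }, out _);
    static SecurityKey NewKey()
    {
        var bytes = new byte[32];                      // 256-bit key, constructed for the demo
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return new SymmetricSecurityKey(bytes);
    }
    static void Main()
    {
        var shared = NewKey();                         // in practice: provisioned to both apps
        var token = Issue("customer-42", shared);      // constructed user id
        Console.WriteLine(Validate(token, shared).Identity.IsAuthenticated);
        try { Validate(token, NewKey()); }             // a key the issuer never used
        catch (SecurityTokenException e) { Console.WriteLine("rejected: " + e.GetType().Name); }
    }
}
```

In an ASP.NET Core API the same TokenValidationParameters can be assigned to JwtBearerOptions.TokenValidationParameters inside AddJwtBearer instead of calling ValidateToken by hand.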

Discovering and sharing controllers between aspnet mvc and webapi in aspnet core 2

We have a Spa client, which runs inside of an aspnet core web app (aspnet core spa template). The Api project is where the business logic and data access reside and can be called by other clients such as native, other Spas, etc… The web app is protected by a cookie middleware with external providers to sign-in, while the web api is protected by bearer tokens.
We have noticed that if we add a reference in the Web app to the Api project, the Controllers defined in the Api project are available in the web app. So just by adding a reference, we can make a local ajax call to /api/data from Spa residing in the Web app. There is nothing extra we’re doing here, no custom controller resolvers, assembly loading, etc…
Is that how things now work in aspnet core mvc? Are we correct to assume that the web app will just discover the controllers, but ignore any program.cs/startup.cs from the Api project when it configures the host?
No. This is not how it works. First, the delineation between "MVC" and "Web Api" is more pedantic than anything at this point. In Core, they are the same. If your project is only going to be an API, you can leave a few things out of the standard MVC services, but it still uses "MVC". As a result, calling something an "API" or "MVC" project doesn't really mean anything. You can mix and match to whatever degree you need.
If you have two separate projects, then you should follow that and keep everything separate. One should not have a dependency on the other. You can always "call" your API from your MVC project, just as with any other HTTP-hosted service. However, you won't be able to take advantage of things like UrlHelper to generate URLs for your API action from your MVC project. You would just need to "know" these.
If you want the two projects to be tightly integrated, then they shouldn't be two projects. Just have one website project, and move all your API and MVC stuff into it. Then, you'll truly have everything shared.

ASP.net 5 MVC app, with Web Api app - how to implement oAuth

My question is based on ASP.net 5 and authentication. In particular, I'm trying to achieve integrating oAuth (2.0) into my solution as my logon method (the users can either logon using oAuth if this is how they registered, or directly with my own app). Using the template for an ASP.net 5 web app, I've successfully achieved the above but this isn't quite what I need.
I have an ASP.net 5 MVC (app1) for my front end UI and an ASP.net 5 web api application (app2) for my REST services, serving data to the UI. Nothing new to this approach.
I want my MVC front end (app1) to have no Entity Framework references and no reference to things like Sign in manager (if possible). Just keeping it as simple as possible. I have a login screen and I want to present the option to logon via facebook or google oAuth accounts. Instead of using the nice code MS kindly provides out of the box when you start a new ASP.net 5 web app (hey, why make life easy!), I want to use my web api to do as much of the work as it can (I realise some things need to happen in app1 to make this work).
My goal is to keep my UI as simple as possible and offloading complex functionality (business logic, database access and other things such as caching) off to the web api app.
I'm having difficulties extracting the parts of the web app demo around oAuth, and moving it into the web api, to utilise from app1. Has anyone managed to do this before? Is this a bad idea? Has anyone a sample of this approach in new ASP.net 5 MVC?
Thanks for advice in advance!
We (that is ASP.NET) recommend you look at Identity Server. v4 is now built on top of .NET core. The OAuth components you see in templates for facebook, twitter et al aren't suitable for using against a WebAPI, they're there for interactive, browser based logins, not for javascript.
You would have your interactive app handle registrations as normal, then use Identity Server to issue a bearer token, pointing it to your identity database, and validate that within your WebAPI.
We don't recommend rolling your own.
You can build a WebAPI app with membership manager using ASP.NET Identity. ASP.NET Membership is now called ASP.NET Identity.
From the link you will see how you can create a WebAPI app that will support all basic ASP.NET membership functionalities (log-in, register, etc).
Once you have WebAPI setup with your (custom) ASP.NET membership storage (DB is auto-generated once you run the app.), you are set up with a RESTful web layer with data access. You can also customize the storage provider. See here: Overview of Custom Storage Providers for ASP.NET Identity.
The ASP.NET website (www.asp.net) has all the necessary information sufficient to create all that you said from scratch. For integrations with Facebook or others, you can check out this link: External Authentication Services with ASP.NET Web API (C#)

Difference between MVC 5 Project and Web Api Project

I am new to ASP.NET MVC and Web API and trying to get the basics. AFAIK, we have project templates in VS 2013, named as MVC, Web API and Both of them together.
I have gone through the tutorials and learned that we can make an API by using MVC alone as well as with Web API Template.
So, what are the differences between these, based on Architecture and Usage?
Basically, a Web API controller is an MVC controller, which uses HttpMessageResponse as the base type of its response, instead of ActionResponse. They are the same in most other respects. The main difference between the project types is that the MVC Application project type adds web specific things like default CSS, JavaScript files and other resources needed for a web site, which are not needed for an API.
MVC is used for creating web sites. In this case Controllers usually return a View (i.e. HTML response) to browser requests. Web APIs on the other hand are usually made to be consumed by other applications. If you want to allow other applications to access your data / functionality, you can create a Web API to facilitate this access. For example, Facebook has an API in order to allow App developers to access information about users using the App. Web APIs don't have to be for public consumption. You can also create an API to support your own applications. For example, we created a Web API to support the AJAX functionality of our MVC web site.
Microsoft changed the way they present the different templates. Now instead of using different templates for different project types, they encourage developers to mix ASP.NET technologies inside the same project as needed. Microsoft calls this vNext.
UPDATE: For ASP.NET Core, Web API has been integrated into the MVC 6 project type and the ApiController class is consolidated into the Controller class. Further details at: https://wildermuth.com/2016/05/10/Writing-API-Controllers-in-ASP-NET-MVC-6
My two cents...
In ASP.Net MVC – the MVC’s Controller decides what should be the View - i.e., the controller decides what the user should “see” (based on the current scenario or context), when they make a request.
In ASP.Net Web Forms, the ASPX pages decide what the user should “see” when they make a request.
But in Web API, there is no control/power to any of the Web API’s features to decide what the user should “see” when they make a request.
Web API is NOT a technology tied up with websites only. It can be used for multiple purposes – not only websites. So it doesn't know the meaning of rendering.
Further Reading
Planning Web Solutions Today: Web Forms, ASP.NET MVC, Web API, and OWIN.
WCF or ASP.NET Web APIs? My two cents on the subject
The Next Generation of .NET – ASP.NET vNext
Getting Started with ASP.NET MVC 6
An MVC controller derives from the Controller class. In MVC you can return views. The MVC architecture is used to create an application. However, Web APIs are used to provide data to various applications.
Web API derives from ApiController and it doesn't return a view.
Note: You can also create a Web API from an MVC controller, but you need to return the result as JsonResult or other Web API supported return types.
In addition to the answers already provided here, it's worth noting that any controller which inherits from ApiController and has an action with Http verb POST can only have one [FromBody] input parameter. If using an MVC controller (deriving from 'Controller') you can have many post input parameters.

ASP.NET Web Api as a standalone project in one solution

If I want to use WebAPI as a service to connect to multiple databases on different servers and retrieve the data that my MVC application will use, what is the best way to do it?
I don't want to have ApiController(s) in the same project as my MVC project, so do I need to add a new WebApi project (delete all except controllers and stuff that the template adds to have a clean project) that my MVC application will reference?
Here's the list of tutorials/blog posts I used to learn about WebAPI:
ASP.NET Web API - Screencast series with downloadable sample code
http://weblogs.asp.net/jgalloway/archive/2012/03/16/asp-net-web-api-screencast-series-with-downloadable-sample-code-part-1.aspx
Consuming ASP.NET Web API Service using HttpClient
http://debugmode.net/2012/03/03/creating-first-http-service-using-asp-net-web-api-part1-of-many/
http://debugmode.net/2012/03/07/consuming-asp-net-web-api-service-using-httpclient-part2-of-many/
CRUD operation using ASP.NET Web API and MVC4
http://www.dotnetglobe.com/2012/03/crud-operation-using-aspnet-web-api-in.html
http://www.dotnetglobe.com/2012/03/crud-operation-using-aspnet-web-api-in_28.html
Creating a .Net queryable client for ASP.Net Web API oData services
http://blog.petegoo.com/index.php/2012/03/11/creating-a-net-queryable-client-for-asp-net-web-api-odata-services/
Using HttpClient to Consume ASP.NET Web API REST Services
http://www.johnnycode.com/blog/2012/02/23/consuming-your-own-asp-net-web-api-rest-service/
Client side support with the ASP.NET Web API
https://msmvps.com/blogs/theproblemsolver/archive/2012/03/13/client-side-support-with-the-asp-net-web-api.aspx
Create and Consume ASP.Net Web API REST Services - MVC4
http://www.askamoeba.com/Opensource/Opensourcedetail/144/Create-and-Consume-ASP-Net-Web-API-REST-Services-MVC4
Building and consuming REST services with ASP.NET Web API using MediaTypeFormatter and OData support
http://robbincremers.me/2012/02/16/building-and-consuming-rest-services-with-asp-net-web-api-and-odata-support/
Using JSON.NET with ASP.NET Web API
http://blogs.msdn.com/b/henrikn/archive/2012/02/18/using-json-net-with-asp-net-web-api.aspx
Creating Custom CSVMediaTypeFormatter In ASP.NET Web API for Comma-Separated Values (CSV) Format
http://www.tugberkugurlu.com/archive/creating-custom-csvmediatypeformatter-in-asp-net-web-api-for-comma-separated-values-csv-format
Implementing CORS support in ASP.NET Web APIs
http://blogs.msdn.com/b/carlosfigueira/archive/2012/02/20/implementing-cors-support-in-asp-net-web-apis.aspx
How I see Web API
http://thedatafarm.com/blog/asp-net/how-i-see-web-api/
You may use a completely different project to host your Web API controllers. Yet in this case you need to think about the deployment.
Web API is just a web project. It will have its own config file. It will be likely that it will run in its own worker process (depending on how you deploy it).
So if you partition the Web API out, then you get more flexibility but you might end up duplicating a lot of config.
My advice is that, if you do, make sure both projects talk to the same base services projects. Partitioning can also make sense if this Web API might be used by third parties.
